
Created attachment 290377
paste2.html
Middle clicking on Linux opens a new tab and is a common activity.
1. Middle clicking on (possibly CSS-decorated input looking like a link) steals the current selection, which may be confidential info like a porn URL.
This is paste2.html.
2. Tricking the user into selecting a javascript: text (possibly hidden via CSS) and then middle clicking in another tab/window leads to a same-origin violation.
This is paste1.html.
If the current selection is "file:///", middle click on a nonlink opens "file:///".

We should definitely disable the "middle-click = paste and go" behavior for javascript: URLs, and we should try to make it safe for data: URLs.
I don't think we can fix the other problem except by disabling one of the middle-click behaviors (either disabling its "paste" behavior or disabling its "open link in new tab" behavior).
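
The scheme check suggested in the comment above, sketched as an added example; it is not part of the original bug thread and is not Firefox code. The function name and the http/https allowlist are assumptions, and the allowlist is stricter than the comment proposes because it also refuses data: and file: text.

```javascript
// Added example, not Firefox code. All names here are hypothetical.
// Decides whether text pasted by a middle click may be loaded as a URL.

// Assumption: only plain web schemes are worth loading from a paste.
const LOADABLE_SCHEMES = new Set(["http:", "https:"]);

function clipboardTextToLoadableURL(text) {
  if (typeof text !== "string") return null;
  // A URL parser strips leading/trailing whitespace and control characters
  // and drops tabs and newlines anywhere in the input, so "java\nscript:"
  // is parsed as "javascript:". Checking the raw text with a prefix match
  // would miss that; parse first, then test the parser's own view.
  let url;
  try {
    url = new URL(text);
  } catch (e) {
    return null; // not an absolute URL: do not load it
  }
  // url.protocol is already lower-cased by the parser.
  return LOADABLE_SCHEMES.has(url.protocol) ? url.href : null;
}

// Constructed sample selections, including the cases named in this bug.
const SAMPLES = [
  "https://example.com/a",
  "javascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
  "java\nscript:alert(1)",
  "data:text/html,<b>x</b>",
  "file:///",
  "just some selected words",
];

for (const s of SAMPLES) {
  const result = clipboardTextToLoadableURL(s);
  console.log(JSON.stringify(s), "->", result === null ? "refused" : result);
}
```
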

Hmm. This is a tricky problem. I'm not sure what to do about it...
Seems like we can't do the obvious thing of disabling middle-click paste -- or middle-click opens a link -- because both of those would be breaking commonly used functionality. [Though there's something to be said for Linux desktops moving away from the old X-style clipboard, and middle-click being something a lot of people still haven't learned about].
I can't think of any obvious solution to disable pasting in certain cases (e.g., unless a textarea is focused) that wouldn't just be easily bypassed.
So, seeking ideas as we're stuck.

I'd chalk this up to being a general problem for Linux, and not try to fix it. Middle-click to paste was always a brain-dead thing to do, especially having multiple clipboards, automatically adding selected text to one of the two clipboards, oh my. Don't get me started. ;)
If Linux ever becomes a mainstream consumer platform, we can revisit this, but for now I'd just recommend leaving this alone. If you're worried about it as an end user, don't use middle click.

> If Linux ever becomes a mainstream consumer platform, we can revisit this,
> but for now I'd just recommend leaving this alone. If you're worried about
> it as an end user, don't use middle click.
Or set middlemouse.paste to false.

I concur with the last few comments.
We may want to investigate disabling the middle-click-to-load behavior (middlemouse.contentLoadURL) by default on Linux in the future, but many users depend on the functionality, and given the choice, probably would opt to play their luck with someone doing this kind of trick rather than losing the functionality.
Since the likelihood of this being abused is low, and the result of the abuse is not that serious most of the time (clipboard contents can be sensitive, but they most often aren't), WONTFIX.